Abelian varieties, theta functions and cryptography - Part...

Abelian varieties, theta functions and cryptographyPart 2

Damien Robert1

1LFANT team, INRIA Bordeaux Sud-Ouest

08/12/2010 (Bordeaux)

Outline

1 Abelian varieties and cryptography

2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives

Damien Robert (LFANT) Abelian varieties, theta functions and cryptography 08/12/2010 (Bordeaux) 2 / 31

Abelian varieties and cryptography

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Abelian varieties and cryptography Discrete logarithm in cryptography

Discrete logarithm

Definition (DLP)Let G = ⟨⟩ be a cyclic group of prime order. Let x ∈ N and h = x .The discretelogarithm log(h) is x.

Exponentiation: O(log p). DLP: O(√p) (in a generic group).⇒ Public key cryptography⇒ Signature⇒ Zero knowledge

G = F∗p : sub-exponential attacks.⇒ Use G = A(Fq) where A/Fq is an abelian variety for the DLP.



Pairing-based cryptography

DefinitionA pairing is a bilinear application e ∶ G1 ×G1 → G2.

Identity-based cryptography [BF03].Short signature [BLS04].One way tripartite Diffie–Hellman [Jou04].Self-blindable credential certificates [Ver01].Attribute based cryptography [SW05].Broadcast encryption [Goy+06].

ExampleThe Weil and Tate pairings on abelian varieties are the only known examples ofcryptographic pairings.



Security of abelian varieties

# points DLP

1 O(q) O(q1/2)2 O(q2) O(q)

3 O(q3) O(q4/3) (Jacobian of hyperelliptic curve)O(q) (Jacobian of non hyperelliptic curve)

O(q) O(q2−2/) > log(q) L1/2(q)= exp(O(1) log(x)1/2 log log(x)1/2)

Security of the DLP

Weak curves (MOV attack, Weil descent, anomal curves).⇒ Public-key cryptography with the DLP: Elliptic curves, Jacobian of hyperelliptic

curves of genus 2.⇒ Pairing-based cryptography: Abelian varieties of dimension ⩽ 4.


Abelian varieties and cryptography Isogenies

Isogenies

DefinitionA (separable) isogeny is a finite surjective (separable) morphism between two Abelianvarieties.

Isogenies = Rational map + group morphism + finite kernel.

Isogenies⇔ Finite subgroups.

( f ∶ A→ B)↦ Ker f(A→ A/H) H

Example:Multiplication by ℓ (⇒ ℓ-torsion), Frobenius (non separable).


Abelian varieties and cryptography Isogenies

Cryptographic usage of isogenies

Transfert the DLP from one Abelian variety to another.

Point counting algorithms (ℓ-adic or p-adic)⇒ Verify a curve is secure.

Compute the class field polynomials (CM-method)⇒ Construct a secure curve.

Compute the modular polynomials⇒ Compute isogenies.

Determine End(A)⇒ CRT method for class field polynomials.


Theta functions

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Theta functions Theta coordinates

Complex abelian varieties and theta functions of level n

(ϑ i)i∈Z(n): basis of the theta functions of level n. (Z(n) := Z/nZ)⇔ A[n] = A1[n]⊕ A2[n]: symplectic decomposition.

(ϑ i)i∈Z(n) = coordinates system n ⩾ 3coordinates on the Kummer variety A/ ± 1 n = 2

Theta null point: ϑ i(0)i∈Z(n) = modular invariant.

Example (k = C)Abelian variety over C: A = C/ (Z +ΩZ); Ω ∈H(C) the Siegel upper half space(Ω symmetric, ImΩ positive definite).

ϑ i := Θ [ 0i/n ] (z, Ω/n).


Theta functions Constructing theta functions

Jacobian of hyperelliptic curves

C ∶ y2 = f (x), hyperelliptic curve of genus . (deg f = 2 − 1)

Divisor: formal sum D = ∑ n iPi ,degD = ∑ n i .

Pi ∈ C(k).

Principal divisor:∑P∈C(k) vP( f ).P; f ∈ k(C).

Jacobian of C =Divisors of degree 0 modulo principal divisors + Galois action=Abelian variety of dimension .

Divisor class D⇒ unique representative (Riemann–Roch):

D =k

∑i=1(Pi − P∞) k ⩽ , symmetric Pi ≠ Pj

Mumford coordinates: D = (u, v)⇒ u =∏(x − x i), v(x i) = y i .Cantor algorithm: addition law.Thomae formula: convert between Mumford and theta coordinates of level 2 or 4.


Theta functions Constructing theta functions

The modular space of theta null points of level n (car k ∤ n)

Theorem (Mumford)The modular spaceMn of theta null points is:

∑t∈Z(2)

ax+tay+t ∑t∈Z(2)

au+tav+t = ∑t∈Z(2)

ax′+tay′+t ∑t∈Z(2)

au′+tav′+t ,

with the relations of symmetry ax = a−x .

Abelian varieties with a n-structure = open locus ofMn .If (au)u∈Z(n) is a valid theta null point, the corresponding abelian variety is givenby the following equations in Pn −1

k :

∑t∈Z(2)

Xx+tXy+t ∑t∈Z(2)

au+tav+t = ∑t∈Z(2)

Xx′+tXy′+t ∑t∈Z(2)

au′+tav′+t .


Theta functions Riemann relations

The differential addition law (k = C)

( ∑t∈Z(2)

χ(t)ϑ i+t(x + y)ϑ j+t(x − y)).( ∑t∈Z(2)

χ(t)ϑk+t(0)ϑ l+t(0)) =

( ∑t∈Z(2)

χ(t)ϑ−i′+t(y)ϑ j′+t(y)).( ∑t∈Z(2)

χ(t)ϑk′+t(x)ϑ l ′+t(x)).

where χ ∈ Z(2), i , j, k, l ∈ Z(n)(i′ , j′ , k′ , l ′) = A(i , j, k, l)

A = 12

⎛⎜⎜⎜⎝

1 1 1 11 1 −1 −11 −1 1 −11 −1 −1 1

⎞⎟⎟⎟⎠


Arithmetic

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Arithmetic

Arithmetic with low level theta functions (car k ≠ 2)

Mumford Level 2 Level 4[Lan05] [Gau07]Doubling 34M + 7S 7M + 12S + 9m0 49M + 36S + 27m0Mixed Addition 37M + 6S

Multiplication cost in genus 2 (one step).

Montgomery Level 2 Jacobians Level 4Doubling 5M + 4S + 1m0 3M + 6S + 3m0

3M + 5S 9M + 10S + 5m0Mixed Addition 7M + 6S + 1m0

Multiplication cost in genus 1 (one step).


Arithmetic

Arithmetic with high level theta functions [LR10a]

Algorithms forAdditions and differential additions in level 4.Computing P ± Q in level 2 (need one square root). [LR10b]Fast differential multiplication.

Compressing coordinates O(1):Level 2n theta null point⇒ 1 + ( + 1)/2 level 2 theta null points.Level 2n⇒ 1 + level 2 theta functions.

Decompression: n differential additions.


Pairings

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Pairings Miller algorithm

Pairings on abelian varieties

E/k: elliptic curve.Weil pairing: E[ℓ] × E[ℓ]→ µℓ .

P,Q ∈ E[ℓ]. ∃ fℓ ,P ∈ k(E), ( fℓ ,P) = ℓ(P − 0E).

eW ,ℓ(P,Q) =fℓ ,P(Q − 0E)fℓ ,Q(P − 0E)

.

Tate pairing: eT ,ℓ(P,Q) = fℓ ,P(Q − 0E).

Miller algorithm: pairing with Mumford coordinates.


Pairings Pairings with theta coordinates

TheWeil and Tate pairing with theta coordinates [LR10b]

P and Q points of ℓ-torsion.

0A P 2P . . . ℓP = λ0P0A

Q P ⊕ Q 2P + Q . . . ℓP + Q = λ1PQ

2Q P + 2Q

. . . . . .

ℓQ = λ0Q0A P + ℓQ = λ1QP

eW ,ℓ(P,Q) =λ1P λ

0Q

λ0P λ1Q.

eT ,ℓ(P,Q) = λ1Pλ0P.


Pairings Pairings with theta coordinates

Comparison withMiller algorithm

= 1 7M + 7S + 2m0 = 2 17M + 13S + 6m0

Tate pairing with theta coordinates, P,Q ∈ A[ℓ](Fqd ) (one step)

Miller Theta coordinates

Doubling Addition One step

= 1 d even 1M + 1S + 1m 1M + 1m 1M + 2S + 2md odd 2M + 2S + 1m 2M + 1m

= 2Q degenerate +denominator elimination 1M + 1S + 3m 1M + 3m 3M + 4S + 4mGeneral case 2M + 2S + 18m 2M + 18m

P ∈ A[ℓ](Fq), Q ∈ A[ℓ](Fqd ) (counting only operations in Fqd ).


Isogenies

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Isogenies

Explicit isogeny computation

Given an isotropic subgroup K ⊂ A(k) compute the isogeny A↦ A/K. (Vélu’sformula.)Given an abelian variety compute all the isogeneous varieties. (Modularpolynomials.)Given two isogeneous abelian variety A and B find the isogeny A↦ B. (Clever useof Vélu’s formula⇒ SEA algorithm).


Isogenies Computing isogenies in genus 1

Vélu’s formula

TheoremLet E ∶ y2 = f (x) be an elliptic curve and G ⊂ E(k) a finite subgroup. Then E/G is givenby Y 2 = (X) where

X(P) = x(P) + ∑Q∈G∖0E

x(P + Q) − x(Q)

Y(P) = y(P) + ∑Q∈G∖0E

y(P + Q) − y(Q)

Uses the fact that x and y are characterised in k(E) by

v0E (x) = −2 vP(x) ⩾ 0 if P ≠ 0Ev0E (y) = −3 vP(y) ⩾ 0 if P ≠ 0E

y2/x3(0E) = 1

No such characterisation in genus ⩾ 2.


Isogenies Isogenies by going down in the level

The isogeny theorem

Theorem (Mumford)Let ℓ ∧ n = 1, and ϕ ∶ Z(n)→ Z(ℓn), x ↦ ℓ.x be the canonical embedding.Let K0 = A[ℓ]2 ⊂ A[ℓn]2.Let (ϑA

i )i∈Z(ℓn) be the theta functions of level ℓn on A = C/(Z +ΩZ).Let (ϑB

i )i∈Z(n) be the theta functions of level n of B = A/K0 = C/(Z + Ωℓ Z

).We have:

(ϑBi (x))i∈Z(n) = (ϑA

ϕ(i)(x))i∈Z(n)

Exampleπ ∶ (x0 , x1 , x2 , x3 , x4 , x5 , x6 , x7 , x8 , x9 , x10 , x11)↦ (x0 , x3 , x6 , x9) is a 3-isogeny betweenelliptic curves.


Isogenies Isogenies by going up in the level

The contragredient isogeny [LR10a]

y ∈ B

z ∈ A

π

x ∈ A

π

[ℓ]Let π ∶ A → B be the isogeny associated to(a i)i∈Z(ℓn). Let y ∈ B and x ∈ A be one of the ℓ

antecedents. Then

π(y) = ℓ.x




y ∈ B

z ∈ A

π

x ∈ A

π


antecedents. Then

π(y) = ℓ.x

1

Ω 3ΩR0

R1

R2

y




y ∈ B

z ∈ A

π

x ∈ A

π


antecedents. Then

π(y) = ℓ.x

1

Ω 3ΩR0

R1

R2

y x


Isogenies Isogenies in the same level

Changing level without taking isogenies

Theorem (Koizumi-Kempf)Let L be the space of theta functions of level ℓn and L′ the space of theta functions oflevel n.Let F ∈r (Z) be such that tFF = ℓ Id, and f ∶ Ar → Ar the corresponding isogeny.

We have L = f ∗L′ and the isogeny f is given by

f ∗(ϑL′

i1 ⋆ . . . ⋆ ϑL′ir ) = λ ∑( j1 , . . . , jr)∈K1(L′)×. . .×K1(L′)

f ( j1 , . . . , jr)=(i1 , . . . , ir)

ϑLj1 ⋆ . . . ⋆ ϑLjr

F = ( 1 −1−1 1 ) give the Riemann relations. (For general ℓ, use the quaternions.)

⇒ Go up and down in level without taking isogenies [Cosset+R].



Changing level and isogenies

CorollaryLet A = C/(Z +ΩZ) and B = C/(Z + ℓΩZ). We can express the isogenyA→ B, z ↦ ℓz of kernel K = 1

ℓZ/Z in term of the theta functions of level n on A and B:

ϑ [ 0i1 ] (ℓz, ℓΩn)ϑ [ 0i2 ] (0, ℓ

Ωn) . . . ϑ [ 0ir ] (0, ℓ

Ωn) =

∑t1 , . . . ,tr∈K

F(t1 , . . . ,tr)=(0,. . . ,0)

ϑ [ 0j1 ] (X1 + t1 ,Ωn) . . . ϑ [ 0jr ]

L (Xr + tr ,Ωn),

where X = F−1(ℓz, 0, . . . , 0).

RemarkWe compute the coordinates ϑ [ 0j i ] (X i + t i , Ωn ) not in A but in C thanks to thedifferential additions.



A complete generalisation ofVélu’s algorithm [Cosset+R]

Compute the isogeny B → Awhile staying in level n.O(ℓ) differential additions + O(ℓ) or O(ℓ2 for the changing level.The formulas are rational if the kernel K is rational.

Blocking part: compute K⇒ compute all the ℓ-torsion on B. = 2: ℓ-torsion, O(ℓ6) vs O(ℓ2) or O(ℓ4) for the isogeny.

⇒ Work in level 2.⇒ Convert back and forth to Mumford coordinates:

B A

Jac(C1) Jac(C2)

π


Perspectives

Outline


2 Theta functions

3 Arithmetic

4 Pairings

5 Isogenies

6 Perspectives


Perspectives

TheAGM and canonical lifts

The elliptic curves En ∶ y2 = x(x − a2n)(x − b2n) converges overQ2α to thecanonical lift of (E0)F2α [Mes01], where (an)n∈N, (bn)n∈N satisfy the ArithmeticGeometric Mean:

an+1 =an + bn

2bn+1 =

√anbn

Generalized in all genus by looking at theta null points [Mes02].Generalized in arbitrary characteristic p by [CL08] by looking at modular relationsof degree p2 on theta null points.

⇒ Point counting.⇒ Class polynomials.


Perspectives

Some perspectives

Improve the pairing algorithm (Ate pairing,optimal ate).Characteristic 2 [GL09].A SEA-like algorithm in genus 2?


References

Bibliography[BF03] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing”. In: SIAM Journal

on Computing 32.3 (2003), pp. 586–615.

[BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing”. In: Journal ofCryptology 17.4 (2004), pp. 297–319.

[CL08] R. Carls and D. Lubicz. “A p-adic quasi-quadratic time and quadratic space point countingalgorithm”. In: International Mathematics Research Notices (2008).

[Gau07] P. Gaudry. “Fast genus 2 arithmetic based on Theta functions”. In: Journal of MathematicalCryptology 1.3 (2007), pp. 243–265.

[GL09] P. Gaudry and D. Lubicz. “The arithmetic of characteristic 2 Kummer surfaces and of ellipticKummer lines”. In: Finite Fields and Their Applications 15.2 (2009), pp. 246–260.

[Goy+06] V. Goyal, O. Pandey, A. Sahai, and B. Waters. “Attribute-based encryption for fine-grainedaccess control of encrypted data”. In: Proceedings of the 13th ACM conference on Computer andcommunications security. ACM. 2006, p. 98.

[Jou04] A. Joux. “A one round protocol for tripartite Diffie–Hellman”. In: Journal of Cryptology 17.4(2004), pp. 263–276.

[Lan05] T. Lange. “Formulae for arithmetic on genus 2 hyperelliptic curves”. In: Applicable Algebra inEngineering, Communication and Computing 15.5 (2005), pp. 295–328.

[LR10a] D. Lubicz and D. Robert. Computing isogenies between abelian varieties. HALhttp://hal.archives-ouvertes.fr/hal-00446062/. Jan. 2010. arXiv:1001.2016. url:http://www.normalesup.org/~robert/pro/publications/articles/isogenies.pdf.

[LR10b] D. Lubicz and D. Robert. “Efficient pairing computation with theta functions”. In: Lecture Notesin Comput. Sci. 6197 (Jan. 2010). Ed. by G. Hanrot, F. Morain, and E. Thomé. 9th InternationalSymposium, Nancy, France, ANTS-IX, July 19-23, 2010, Proceedings. doi:10.1007/978-3-642-14518-6_21. url:http://www.normalesup.org/~robert/pro/publications/articles/pairings.pdf. Slideshttp://www.normalesup.org/~robert/publications/slides/2010-07-ants.pdf.


http://hal.archives-ouvertes.fr/hal-00446062/

http://arxiv.org/abs/1001.2016

http://www.normalesup.org/~robert/pro/publications/articles/isogenies.pdf

http://dx.doi.org/10.1007/978-3-642-14518-6_21

http://www.normalesup.org/~robert/pro/publications/articles/pairings.pdf

http://www.normalesup.org/~robert/publications/slides/2010-07-ants.pdf

Perspectives Bibliography

[Mes01] J.-F. Mestre. Lettre à Gaudry et Harley. 2001. url: http://www.math.jussieu.fr/mestre.

[Mes02] J.-F. Mestre. Notes of a talk given at the Cryptography Seminar Rennes. 2002. url:http://www.math.univ-rennes1.fr/crypto/2001-02/mestre.ps.

[SW05] A. Sahai and B. Waters. “Fuzzy identity-based encryption”. In: Advances inCryptology–EUROCRYPT 2005 (2005), pp. 457–473.

[Ver01] E. Verheul. “Self-blindable credential certificates from the Weil pairing”. In: Advances inCryptology—ASIACRYPT 2001 (2001), pp. 533–551.


http://www.math.jussieu.fr/mestre

http://www.math.univ-rennes1.fr/crypto/2001-02/mestre.ps

Abelian varieties, theta functions and cryptography - Part...

Documents

Transcript of Abelian varieties, theta functions and cryptography - Part...